Add option in Translate API to construct Elasticsearch subquery in search Rego policy
@hmarkovic @hutchins @srabanaguha
We have added the preprocessor in the Translate API in M18 to handle the HTTP calls and the allow/deny rules in search policy. The current translate logic is still limited to simple Rego syntax. To close the gap, we can add an option in the preprocessor to allow the search policy to construct its own Elasticsearch subquery in Rego files. The current Translate API needs to be updated to check the preprocessor results for the new proposed optional field "es_subquery":

```rego
preprocess_config := {
    "input_from_preprocessor": {
        # any results from the preprocessor evaluation that will be used by the allow/deny rules
    },
    "has_allow_rule": true/false,
    "has_deny_rule": true/false,
    "es_subquery": {"query": {...}} # new proposed optional field
}
```

If the "es_subquery" field exists, the Translate API will skip the compile/translate logic and simply return this field back to the search service.
And here is a search policy example:

```rego
package osdu.partition["osdu"].search

import data.osdu.partition["osdu"].search_preprocessor

preprocess_config := {
    "es_subquery": search_preprocessor.es_subquery
}
```

```rego
package osdu.partition["osdu"].search_preprocessor

# Search policy example to allow search all data records
es_subquery := {
    "query": {
        "match_all": {}
    }
}
```

```rego
package osdu.partition["osdu"].search_preprocessor

# Search policy example to deny search any data records
es_subquery := {
    "query": {
        "match_none": {}
    }
}
```

```rego
package osdu.partition["osdu"].search_preprocessor

# Search policy example to search data records for a particular data group
es_subquery := {
    "query": {
        "bool": {
            "should": [
                {
                    "bool": {
                        "filter": [
                            {
                                "term": {
                                    "acl.viewers": "data.site.administrators"
                                }
                            }
                        ]
                    }
                },
                {
                    "bool": {
                        "filter": [
                            {
                                "term": {
                                    "acl.owners": "data.site.administrators"
                                }
                            }
                        ]
                    }
                }
            ]
        }
    }
}
```

Edited by Dadong Zhou
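
The branch proposed in the issue above, sketched as an added example; this is not code from the issue or from the Policy Service. The function names, the `translate` callable standing in for the existing compile/translate path, the size limit and the fail-closed `match_none` fallback for a malformed "es_subquery" are all assumptions made for illustration.

```python
import json

# Fail-closed fallback (assumption): the same query as the issue's "deny" example.
MATCH_NONE = {"query": {"match_none": {}}}
MAX_SUBQUERY_BYTES = 16 * 1024  # constructed limit, not taken from the issue


def is_well_formed(subquery):
    """Structural check only: {"query": {<clause>: {...}}}, JSON-serialisable, bounded."""
    # Exactly one top-level key, "query", matching the shape shown in the issue.
    if not isinstance(subquery, dict) or set(subquery) != {"query"}:
        return False
    query = subquery["query"]
    if not isinstance(query, dict) or not query:
        return False
    if not all(isinstance(k, str) and isinstance(v, dict) for k, v in query.items()):
        return False
    try:
        encoded = json.dumps(subquery)
    except (TypeError, ValueError):
        return False
    return len(encoded.encode("utf-8")) <= MAX_SUBQUERY_BYTES


def resolve_subquery(preprocess_config, translate):
    """Pick the subquery that is returned to the search service.

    `translate` is a hypothetical stand-in for the existing compile/translate
    logic; it is only called when the preprocessor did not set "es_subquery".
    """
    if "es_subquery" not in preprocess_config:
        return translate(preprocess_config)
    subquery = preprocess_config["es_subquery"]
    # A present but malformed value is neither passed through nor handed to
    # translate: the result is the deny-all query.
    return subquery if is_well_formed(subquery) else MATCH_NONE


if __name__ == "__main__":
    # Constructed inputs mirroring the issue's allow-all example and a bad value.
    print(resolve_subquery({"es_subquery": {"query": {"match_all": {}}}}, dict))
    print(resolve_subquery({"es_subquery": {"query": {}}}, dict))
```
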